Jason (Jay) Healey joined SIPA on May 4 as a senior research scholar and director of a new initiative on cyber-conflict housed at the Saltzman Institute of War and Peace Studies. Healey brings to SIPA extensive, diverse experience in the public, private, and nonprofit sectors as well as the U.S. military and intelligence.
Healey served most recently as director of the Atlantic Council’s Cyber Statecraft Initiative, which focuses on international cooperation, competition, and conflict in cyberspace. (He will remain affiliated with the council as a senior fellow.) From 2003 to 2005 Healey worked in the White House as a director for cyber policy, advising then president George W. Bush and helping to coordinate U.S. efforts to secure U.S. cyberspace and critical infrastructure. Healey has twice worked for Goldman Sachs, directing response to cyber attacks and building a crisis management structure to help dealing with natural disasters and more. As vice chairman of the Financial Services Information Sharing and Analysis Center, he helped lead collaboration on critical security threats facing the global financial services sector.
He spoke with SIPA News about cyber conflict, plans for SIPA, opportunities for students, and more.
As director of the pending initative on cyber-security and -conflict, what will you and the center be focusing on?
Dean Janow asked me to help reinforce that SIPA is thinking deeply on a broad variety of cyber issues. My specialization tends to be on the dynamics of cyber conflict: how is fighting in this domain, especially between nations, similar to traditional conflict by air, land, and sea. But we’ll also be looking at business risk, systemic risk, dependence on the Internet and ICT [information and communications and technology].
So I’ll be researching that, teaching some new classes, and helping to bring things on campus together so both SIPA and Columbia are known as an exciting place to study and research these issues. I know we can be the best place in New York to study this, and I think we can be one of the best universities for this anywhere.
What is the relationship between cyber conflict and cyber security?
It can be confusing because it’s an emerging field and we don’t have all the language down yet. And the use of cyber as an abstract term can be unclear: Some people want to talk about digital activism and democracy, others about cybercrime and espionage, others how to get cooler software programs and starting new digital companies.
I don’t consider what I do to be cybersecurity—that’s someone at a keyboard who helps secure and defend a system. I’m interested in the top-level dynamics between states and how they’re using this to coerce or influence or steal from each other, rather than what’s happening inside the metal box on your desk.
However, we will be looking to tie these and other related areas in SIPA and Columbia for better research and more cyber-related classes for students.
Are countries really stealing from each other at national level?
Oh my god, yes! The history of cyberconflict goes back to 1986, to a cyber-espionage case. German hackers broke into U.S. defense facilities and sold what they found to the Soviet KGB. It’s been constant espionage since then, with the U.S. and China at the forefront—for different reasons.
Nations have also begun to use this for destructive purposes, going at least as far back as Russia-backed attacks on Estonia in 2007. Stuxnet and the attack on Sony were both major attacks. But at the same time, as far as we can tell, nobody has yet died from a cyber attack.
If cyber conflict is, as you say, an emerging field, what kind of opportunity is there for SIPA students? Do would-be specialists have to have a background in computer science?
Yes, we’re still in the infancy of the field. On the plus side, the relative youth of the field makes it easier for younger scholars to get their voices in and make a difference.
It certainly is tougher if you have no technical background. But a lot of what I advise students who are looking to get into cyber is to build a specialization based on what you actually know.
As an example, I had one student, an undergraduate, who felt he had nothing to bring to the field. But he had told me that he was fluent in Italian, and a dual citizen. It was obvious to me—even as an undergraduate, he could be one of the top experts in Italian cyber issues. If he focused exclusively on Italy and EU cyber policy, he could be one of the smartest people around in that area.
I’ve had similar conversations with people with Middle Eastern backgrounds, Russian backgrounds—the more you can have something interesting and a hook, that hook helps us build whether you can make a difference in your studies on cyber.
It’s important to legitimately be seen as an expert. Something a hiring manager really appreciates, even if he’s not hiring in that specific area, is the knowledge that you can become an expert about something.
Cyber is a good way for SIPA students to build up their resumes because it’s one of the areas where budgets are continuing to grow – there are a lot of great jobs to be had in the area, and we want to make sure SIPA graduates are prepared to come in for cyber related jobs. That’s one thing we’re looking to build our projects around.
Can you say more about upcoming projects?
Well, [in March] a SIPA team just came in second place in an event I run at the Atlantic Council, the Cyber 9/12 Student Challenge. Most cyber challenges for students pit the geeks and hackers against one another—they’re asked to defend a system and get into other guy’s system. Ours is the first and still the most important of policy-oriented competitions. It’s built around giving the president policy advice after a hypothetical major cyber incident. Now that I’ve joined SIPA, Dean Janow is keen that we have greater role for SIPA and maybe even host it in the future.
Your own background spans the private sector, the public sector, the military, academia… how does it all tie together?
It’s helped me significantly. So many people who enter this business stay in one field—technology, military, chasing cybercriminals—so the way I’ve come through really has been an advantage in looking across so many broad areas. It happens to be the direction that my career took me, but the research and public policy solutions that I advocate build across all those sectors.
Cyber conflict is pretty clearly relevant to students pursuing International Security Policy. Is it relevant for students in other areas?
You can tell from my own background that I’m coming at this from a cross-disciplinary perspective. One thing that has plagued this field [is that] people get stuck in the mindset of the [sector] they came from. For the benefit not just of students and SIPA, but of the field in general, the dean has asked me to come up with cyber primer class.
My own background is more in line with ISP but we want to make sure we’re engaging across the school. So that if you’re a student interested in development, we want to show what’s there for you in cyber; if you’re in media and advocacy, we want to show what’s there for you.
Cyber is an exciting field. I thought I got into it too late when I joined in 1998, but it’s only become more dynamic since then.
Any final thoughts?
I’m extremely pleased to be here at SIPA – not just to have more time to research but to have time to interact with students and teach. I look forward to putting SIPA on the map as an exciting place to study and do research on cyber issues.
Interview has been edited for clarity.